#!/usr/bin/env bash # Install and configure Nginx on RPC containers with domain-specific SSL on port 443 # Domain mappings: # VMID 2501 (Permissioned RPC) → rpc-http-prv.d-bis.org, rpc-ws-prv.d-bis.org (JWT auth required) # VMID 2502 (Public RPC) → rpc-http-pub.d-bis.org, rpc-ws-pub.d-bis.org (No auth) set -euo pipefail SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" PROXMOX_HOST="${PROXMOX_HOST:-192.168.11.10}" # Colors for output RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[1;33m' NC='\033[0m' # No Color info() { echo -e "${GREEN}[INFO]${NC} $1"; } warn() { echo -e "${YELLOW}[WARN]${NC} $1"; } error() { echo -e "${RED}[ERROR]${NC} $1"; } # Domain mappings # VMID 2501 = Permissioned RPC (requires authentication) → rpc-http-prv, rpc-ws-prv # VMID 2502 = Public RPC (no authentication) → rpc-http-pub, rpc-ws-pub declare -A RPC_CONFIG=( [2501_HTTP]="rpc-http-prv.d-bis.org" [2501_WS]="rpc-ws-prv.d-bis.org" [2502_HTTP]="rpc-http-pub.d-bis.org" [2502_WS]="rpc-ws-pub.d-bis.org" ) declare -A RPC_IPS=( [2501]="192.168.11.251" [2502]="192.168.11.252" ) declare -A RPC_HOSTNAMES=( [2501]="besu-rpc-2" [2502]="besu-rpc-3" ) VMIDS=(2501 2502) info "Installing Nginx on RPC containers with domain configuration..." info "Proxmox Host: $PROXMOX_HOST" info "Containers: ${VMIDS[*]}" echo "" # Function to create Nginx config create_nginx_config() { local vmid=$1 local http_domain="${RPC_CONFIG[${vmid}_HTTP]}" local ws_domain="${RPC_CONFIG[${vmid}_WS]}" local hostname="${RPC_HOSTNAMES[$vmid]}" local ip="${RPC_IPS[$vmid]}" local config="# HTTP to HTTPS redirect server { listen 80; listen [::]:80; server_name $http_domain $ws_domain $hostname $ip; return 301 https://\$host\$request_uri; } # HTTPS server - HTTP RPC API server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name $http_domain $hostname $ip; ssl_certificate /etc/nginx/ssl/rpc.crt; ssl_certificate_key /etc/nginx/ssl/rpc.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains\" always; add_header X-Frame-Options \"SAMEORIGIN\" always; add_header X-Content-Type-Options \"nosniff\" always; add_header X-XSS-Protection \"1; mode=block\" always; access_log /var/log/nginx/rpc-http-access.log; error_log /var/log/nginx/rpc-http-error.log; proxy_connect_timeout 300s; proxy_send_timeout 300s; proxy_read_timeout 300s; send_timeout 300s; location / { proxy_pass http://127.0.0.1:8545; proxy_http_version 1.1; proxy_set_header Host localhost; proxy_set_header X-Real-IP \$remote_addr; proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto \$scheme; proxy_set_header Connection \"\"; proxy_buffering off; proxy_request_buffering off; } location /health { access_log off; return 200 \"healthy\\n\"; add_header Content-Type text/plain; } } # HTTPS server - WebSocket RPC API server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name $ws_domain; ssl_certificate /etc/nginx/ssl/rpc.crt; ssl_certificate_key /etc/nginx/ssl/rpc.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains\" always; add_header X-Frame-Options \"SAMEORIGIN\" always; add_header X-Content-Type-Options \"nosniff\" always; add_header X-XSS-Protection \"1; mode=block\" always; access_log /var/log/nginx/rpc-ws-access.log; error_log /var/log/nginx/rpc-ws-error.log; location / { proxy_pass http://127.0.0.1:8546; proxy_http_version 1.1; proxy_set_header Upgrade \$http_upgrade; proxy_set_header Connection \"upgrade\"; proxy_set_header Host localhost; proxy_set_header X-Real-IP \$remote_addr; proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto \$scheme; proxy_read_timeout 86400; proxy_send_timeout 86400; } location /health { access_log off; return 200 \"healthy\\n\"; add_header Content-Type text/plain; } } " echo "$config" } # Function to install Nginx on a container install_nginx_on_container() { local vmid=$1 local ip="${RPC_IPS[$vmid]}" local hostname="${RPC_HOSTNAMES[$vmid]}" local http_domain="${RPC_CONFIG[${vmid}_HTTP]}" local ws_domain="${RPC_CONFIG[${vmid}_WS]}" echo "==========================================" info "Processing VMID $vmid ($hostname - $ip)" info " HTTP Domain: $http_domain" info " WS Domain: $ws_domain" echo "==========================================" # Check if container is running STATUS=$(ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \ "pct status $vmid 2>/dev/null | awk '{print \$2}'" 2>/dev/null || echo "unknown") if [[ "$STATUS" != "running" ]]; then warn "Container $vmid is not running (status: $STATUS), skipping..." return 1 fi # Install Nginx info "Installing Nginx on VMID $vmid..." ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \ "pct exec $vmid -- bash -c ' export DEBIAN_FRONTEND=noninteractive apt-get update -qq apt-get install -y -qq nginx openssl '" || { error "Failed to install Nginx on VMID $vmid" return 1 } info "✓ Nginx installed" # Generate SSL certificate info "Generating SSL certificate for $http_domain..." ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \ "pct exec $vmid -- bash -c ' mkdir -p /etc/nginx/ssl openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \\ -keyout /etc/nginx/ssl/rpc.key \\ -out /etc/nginx/ssl/rpc.crt \\ -subj \"/CN=$http_domain/O=RPC Node/C=US\" 2>/dev/null chmod 600 /etc/nginx/ssl/rpc.key chmod 644 /etc/nginx/ssl/rpc.crt '" || { error "Failed to generate SSL certificate" return 1 } info "✓ SSL certificate generated" # Create and deploy Nginx configuration info "Creating Nginx configuration..." local nginx_config=$(create_nginx_config $vmid) ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \ "pct exec $vmid -- bash" < /etc/nginx/sites-available/rpc <<'NGINX_EOF' $nginx_config NGINX_EOF # Enable the site ln -sf /etc/nginx/sites-available/rpc /etc/nginx/sites-enabled/ rm -f /etc/nginx/sites-enabled/default # Test configuration nginx -t # Reload Nginx systemctl enable nginx systemctl restart nginx EOF if [[ $? -eq 0 ]]; then info "✓ Nginx configured and started" else error "Failed to configure Nginx" return 1 fi # Verify if ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \ "pct exec $vmid -- systemctl is-active nginx >/dev/null 2>&1"; then info "✓ Nginx service is active" else error "Nginx service is not active" return 1 fi if ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \ "pct exec $vmid -- ss -tuln | grep -q ':443'"; then info "✓ Port 443 is listening" else warn "Port 443 may not be listening" fi echo "" return 0 } # Install on each container SUCCESS=0 FAILED=0 for vmid in "${VMIDS[@]}"; do if install_nginx_on_container "$vmid"; then SUCCESS=$((SUCCESS + 1)) else FAILED=$((FAILED + 1)) fi done # Summary echo "==========================================" info "Installation Summary:" echo " Success: $SUCCESS" echo " Failed: $FAILED" echo " Total: ${#VMIDS[@]}" echo "==========================================" if [[ $FAILED -gt 0 ]]; then exit 1 fi info "Nginx installation complete!" echo "" info "Domain mappings configured:" echo " rpc-http-prv.d-bis.org → VMID 2501 (Permissioned HTTP RPC on port 443) - JWT auth required" echo " rpc-ws-prv.d-bis.org → VMID 2501 (Permissioned WebSocket RPC on port 443) - JWT auth required" echo " rpc-http-pub.d-bis.org → VMID 2502 (Public HTTP RPC on port 443) - No auth" echo " rpc-ws-pub.d-bis.org → VMID 2502 (Public WebSocket RPC on port 443) - No auth" echo "" info "Next steps:" echo " 1. Configure DNS records in Cloudflare to point to container IPs" echo " 2. Replace self-signed certificates with Let's Encrypt if needed" echo " 3. Test: curl -k https://rpc-http-pub.d-bis.org/health"